The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning

August 2004

Reference Number: 2004-20-135

This report has cleared the Treasury Inspector General For Tax Administration disclosure
review process and information determined to be restricted from public release has been
redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

August 18, 2004

MEMORANDUM FOR CHIEF, MISSION ASSURANCE

FROM:      Gordon C. Milbourn III
           Acting Deputy Inspector General for Audit

SUBJECT:   Final Audit Report - The Audit Trail System for Detecting
           Improper Activities on Modernized Systems Is Not Functioning
           (Audit # 200420026)

This report represents the results of our review of the Internal Revenue Service’s (IRS)
audit trail system for modernized projects. The overall objective of this review was to
assess the availability of audit trail data used to monitor computer activity on the IRS’
modernized systems.

In summary, the Security Audit and Analysis System (SAAS) represents the IRS’
solution for audit trail collection and review for both modernized computer systems and
the Integrated Data Retrieval System.[1] The PRIME contractor[2] developed the SAAS as
part of the IRS’ modernization efforts.
Conceptually, the SAAS is intended to gather
audit trail information from IRS systems and store this information in a central database
that IRS management, computer incident response team members, and Treasury
Inspector General for Tax Administration (TIGTA) investigators could access. The
SAAS is intended to enable these users to generate reports and create custom queries
to detect unauthorized activities and facilitate the reconstruction of events if
unauthorized activities occurred.

[1] The IRS computer system capable of retrieving or updating stored information; it
works in conjunction with a taxpayer’s account records.
[2] Computer Sciences Corporation serves as the PRIME contractor to design and develop
modernization programs and projects for the IRS. The Business Systems Modernization
Office within the IRS coordinates and oversees the work of the PRIME contractor.

Currently, the SAAS contains audit trail information from the IRS’ e-Services[3] and
Internet Refund Fact of Filing[4] modernized applications. Additionally, it contains data
from the Audit Trail Lead Analysis System used by the TIGTA to detect and investigate
unauthorized accesses to taxpayer information (UNAX)[5] by IRS employees.

However, software performance and functionality problems with the SAAS have
prevented users from accessing the SAAS data once it has been collected. In
November 2002, the PRIME contractor delivered the SAAS to the IRS. The IRS was
aware that the SAAS did not meet IRS requirements but formally accepted the system
with the caveat that the system deficiencies were to be addressed. To date, the
problems have not been fully resolved.
The IRS should not have accepted the SAAS,
knowing that the system did not meet all the software performance and functionality
requirements of its users.

As a result, the ability to detect improper activity on IRS computer systems has been
diminished. Specifically:

• IRS business units cannot use the SAAS for identifying questionable activities on
  modernized applications.
• The IRS’ Computer Security Incident Response Center cannot use the SAAS for
  identifying unauthorized intrusions.
• The TIGTA cannot use the SAAS for identifying UNAX violations.

Business unit managers of modernized applications are primarily responsible for
identifying questionable activities on their applications. However, operating procedures
for reviewing SAAS data for modernized applications have not been developed. The
Office of Mission Assurance, as the business leader of the SAAS, did not actively assist
and facilitate requirements until January 2004. As a result, even if the SAAS were
functioning as intended, the IRS would not be able to effectively review audit trail data.

Without a functioning audit trail process, the IRS’ ability to detect unauthorized activities
on its current modernized systems is lessened. Future modernization applications will
rely solely on the audit trail functions provided through the SAAS. The inability to detect
unauthorized activities is a significant security risk that should weigh heavily on whether
future modernization applications should be accredited and implemented.
Not having
operating procedures, problems with software performance and functionality, and
delays in addressing software problems collectively indicate that the IRS has not
devoted sufficient attention to the review of audit trails.

[3] Provides electronic products and services for specific customer segments (e.g.,
application for preparer tax identification number and registration for electronic
return originators).
[4] Provides refund status information to taxpayers with Internet access and guidance to
the taxpayers about what steps to follow to resolve issues with their refunds.
[5] Unauthorized access and inspection of returns and return information as established
in the Taxpayer Browsing Protection Act, 26 U.S.C.A. §§ 7213, 7213A, 7431 (West Supp. 2003).

We recommended that the Chief, Mission Assurance, ensure the SAAS performance
and functionality requirements are adequately tested and implemented to perform query
and report generation. Also, SAAS operational procedures (e.g., who will review audit
trails, what information is needed, and for what purpose) should be fully developed and
finalized so that business units can conduct audit trail reviews of system and user
activities in modernized applications. In addition, periodic compliance reviews should
be conducted to ensure business units carry out their roles and responsibilities to review
audit trails, and alternatives should be developed for reviewing audit trails for
modernized applications in the event the SAAS deficiencies cannot be corrected.

Management’s Response: Management concurred with three of our recommendations
and partially concurred with one recommendation.
The Office of Mission Assurance will
participate in testing the SAAS to help ensure that audit trail information is available and
retrievable to detect unauthorized activities, provide operating procedures to help
business owners analyze SAAS information, monitor compliance with operating
procedures, and enhance its certification procedures for systems and applications to
ensure that audit trail procedures are available.

Management partially agreed with our recommendation to develop alternatives for
modernized applications audit trails in the event that SAAS deficiencies cannot be
corrected. The IRS is committed to ensuring that the SAAS contains the necessary
storage and processing capability to allow users to retrieve and analyze information.
However, if necessary, the IRS will consider alternative approaches for identifying
unauthorized access and intrusion detection for modernization applications that may not
contain taxpayer information. Management’s complete response to the draft report is
included as Appendix V.

Office of Audit Comment: We are hopeful that the IRS meets its new goal for making
the SAAS functional by October 2004. However, if delays persist, we would encourage
the IRS to begin looking for alternatives to the SAAS. While we still believe our
recommendation is worthwhile, we do not intend to elevate our disagreement
concerning it to the Department of the Treasury for resolution.

Although the Chief, Mission Assurance, agreed with most of our recommendations, the
response stated that the SAAS met all defined requirements and passed all tests. As
we noted in the report, the IRS accepted the SAAS in November 2002, although it was
aware that reports for detecting unauthorized access could not be generated in a
production environment.
Later in the response, the Chief, Mission Assurance,
recognized that the SAAS is not expected to be functional until October 2004.

Copies of this report are also being sent to the IRS managers affected by the report
recommendations. Please contact me at (202) 622-6510 if you have questions or
Margaret E. Begg, Assistant Inspector General for Audit (Information Systems
Programs), at (202) 622-8510.

Table of Contents

Background
The Security Audit and Analysis System Was Accepted Although It Did Not Meet Performance Requirements
    Recommendations 1 and 2
Procedures for Reviewing Audit Trails on the Security Audit and Analysis System Have Not Been Developed
    Recommendations 3 and 4
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Outcome Measures
Appendix V – Management’s Response to the Draft Report

Background

Even the best controls designed to prevent improper
computer activity can be circumvented with the proper
expertise. Hackers, and particularly disgruntled employees
and contractors who already have access to a system, may
attempt to circumvent the Internal Revenue Service (IRS)
controls to gain access to sensitive information or to
vandalize computer data and processing. To help minimize
these risks, Federal Government agencies are required to run
and review audit trails routinely to detect improper activity.

The Department of the Treasury procedures require that
audit trails be sufficient in detail to facilitate the
reconstruction of events if unauthorized activity or a
malfunction occurs or is suspected.
These procedures also
state that designated personnel must review audit trails at
least weekly for systems that contain sensitive information.
The IRS’ procedures require that, at a minimum, audit trails
must include sufficient information to establish what events
occurred, when the events occurred, and who (or what)
caused them.

Conceptually, the Security Audit and Analysis
System (SAAS) was intended to meet the IRS’ audit trail
needs for both modernized computer systems and the
Integrated Data Retrieval System (IDRS).[1] The SAAS was
to collect key information necessary to detect improper
activities and to reconstruct events for potential criminal
investigations and store it in a central database warehouse so
that authorized users could generate reports and create
custom queries.

The PRIME contractor[2] developed the SAAS for the IRS.
The intended users of the SAAS include:

• IRS management to review questionable activities on its
  systems.
• The IRS’ Computer Security Incident Response Center
  (CSIRC) to detect and respond to computer security
  incidents targeting the IRS’ enterprise information
  technology assets.
• The Treasury Inspector General for Tax Administration
  (TIGTA) to detect and investigate unauthorized accesses
  to taxpayer information (UNAX)[3] by IRS employees.
  Although the TIGTA is a user of the SAAS system, IRS
  management is primarily responsible for the review and
  analysis of audit trail information.

[1] IRS computer system capable of retrieving or updating stored
information; it works in conjunction with a taxpayer’s account records.
[2] Computer Sciences Corporation serves as the PRIME contractor to
design and develop modernization programs and projects for the IRS.
The Business Systems Modernization Office within the IRS coordinates
and oversees the work of the PRIME contractor.

This review was performed in the Offices of the
Chief Information Officer and the Chief, Mission
Assurance, at the IRS National Headquarters and in
New Carrollton, Maryland, during the period
December 2003 through March 2004. The audit was
conducted in accordance with Government Auditing
Standards.
Detailed information on our audit objective,
scope, and methodology is presented in Appendix I. Major
contributors to the report are listed in Appendix II.

The Security Audit and Analysis System Was Accepted Although It Did Not Meet Performance Requirements

In November 2002, the PRIME contractor delivered the
SAAS to the IRS. The SAAS is collecting and storing audit
trail information from some IRS applications into the
database warehouse.

A number of these records are from the Audit Trail Lead
Analysis System (ATLAS) that obtains and analyzes audit
trail information from the IDRS. The SAAS also contains
audit trail information from the IRS’ e-Services[4] and
Internet Refund Fact of Filing (IRFoF)[5] modernized
applications and audit trails from various security devices
(e.g., firewalls and intrusion detection systems). As of
January 2004, the database warehouse contained an
estimated 9 billion records.

[3] Unauthorized access and inspection of returns and return information
as established in the Taxpayer Browsing Protection Act, 26 U.S.C.A.
§§ 7213, 7213A, 7431 (West Supp.
2003).
[4] Provides electronic products and services for specific customer
segments (e.g., application for preparer tax identification number and
registration for electronic return originators).
[5] Provides refund status information to taxpayers with Internet access
and guidance to the taxpayers about what steps to follow to resolve
issues with their refunds.

However, none of the users can query the information and
generate reports because of SAAS software performance
and functionality problems. The IRS was aware that the
SAAS did not meet IRS requirements but formally accepted
the system with the caveat that the system deficiencies were
to be addressed. Specifically, the IRS noted that the SAAS
could not yet produce reports currently available in the
ATLAS and that query response times would have to match
the ATLAS response times.
The IRS should not have
accepted the SAAS, knowing that the system did not meet
all the software performance and functionality requirements
of its users.

The functionality and software performance problems of the
SAAS prevent the IRS business units from using it for
identifying questionable activities on modernized
applications.[6] New applications such as e-Services and
IRFoF are highly sensitive since the applications will allow
taxpayers and practitioners access to tax account
information. Without a review of audit trail data, suspicious
activities could go undetected on these systems.

Future modernization applications will also rely on the audit
trail functions provided through the SAAS. Not having an
effective audit trail review process is a significant security
weakness that should weigh heavily on whether to accredit
future modernization applications.
Examples of
applications that will provide key tax administration
processes in the future include the Customer Account Data
Engine,[7] Custodial Accounting Project,[8] and the Integrated
Financial System.[9]

[6] The IRS has hundreds of legacy systems where little has been done in
the past to identify suspicious activities by reviewing audit trail data.
Audit trail data from these systems has not been provided to the SAAS,
and the IRS has no plans to do so.
[7] Intended to provide an online modernized data infrastructure to house
authoritative taxpayer account and return information.
[8] Intended to provide the IRS a data warehouse of detailed taxpayer
account information used for analysis and financial reporting.
[9] Intended to integrate the majority of IRS’ internal financial
management processes to better budget, plan, track, report, and manage
finances.

In addition, the functionality and software problems of the
SAAS prevent the CSIRC from using it for identifying
unauthorized intrusions. The CSIRC is responsible for
identifying unauthorized intrusions into the IRS’ computer
system.
Currently, it carries out this responsibility by
reviewing audit trails from various systems and security
devices.

To enhance its ability to detect unauthorized intrusions, the
CSIRC had planned to store intrusion detection system logs
from multiple locations on the SAAS. However,
functionality and software performance problems prevent
the CSIRC from querying the intrusion detection data on the
SAAS.

The PRIME contractor was not aware of this problem until
almost a year after it delivered the SAAS because the
CSIRC had not submitted a help-desk ticket describing the
problems in accessing the database warehouse. Apparently,
the CSIRC had not been using the SAAS since the
November 2002 system delivery date.

The SAAS software performance and functionality
problems also prevent the TIGTA from using the SAAS for
identifying UNAX violations. The ATLAS was developed
to obtain and analyze audit trail information from the IRS’
most used legacy system (IDRS) for updating and
maintaining taxpayer accounts. The TIGTA’s Office of
Investigations (OI) is the primary user of the ATLAS and
uses it to identify potential unauthorized accesses of
taxpayer information by IRS employees.
Once the SAAS
became functional, the IRS had planned to discontinue its
use of the ATLAS.

However, the ATLAS is aging and, in the interim,
significant funds must be expended to keep the system
operational until the SAAS can become functional. The IRS
contracted for hardware maintenance support covering
Fiscal Years 2004 through 2006 for the ATLAS totaling
approximately $584,000. Additionally, the IRS has
allocated 2 employees in its spending plans for Fiscal
Years 2004 and 2005, representing approximately $400,000
in labor costs, to maintain the ATLAS (see Appendix IV for
details on these costs). If the ATLAS fails, the TIGTA
would lose its primary system for identifying unauthorized
accesses by IRS employees. However, once the SAAS
becomes operational, the resources expended to maintain
the ATLAS can be used to support other IRS initiatives.

Since the SAAS was accepted and deployed by the IRS, the
TIGTA OI, with strong support from the Office of Mission
Assurance, has continued to report its inability to use the
SAAS. Numerous meetings have since been held with the
PRIME contractor and the IRS to discuss this issue.

Recommendations

The Chief, Mission Assurance, should ensure:

1. The SAAS performance and functionality requirements
   are adequately tested and implemented so that the IRS
   and the TIGTA can perform queries and generate audit
   trail reports.

Management’s Response: Management agreed with this
recommendation. The IRS and the PRIME contractor have
developed a schedule that includes requirements for testing
and evaluating audit trail capabilities for the IDRS and
modernized applications. Testing for modernized
application audit trails is scheduled to begin in August 2004
and be completed by October 31, 2004. The Office of
Mission Assurance will participate in the testing to help
ensure that users can access and retrieve audit trail
information.

2. Alternatives are developed for reviewing audit trails for
   modernized applications in the event the SAAS
   deficiencies cannot be corrected.

Management’s Response: Management partially agreed
with our recommendation. The IRS maintained it has
conducted sufficient testing to accept that the current SAAS
approach is an effective approach for supporting Security
and Business Organization requirements for identifying
unauthorized access and intrusion detection. However, if
necessary, management will consider alternative approaches
for reviewing modernized applications that do not contain
taxpayer information.
The IRS is ready to commit
additional resources to ensure the success of the SAAS.

Office of Audit Comment: We are hopeful that the IRS
meets its new goal for making the SAAS functional by
October 2004. However, if delays persist, we would
encourage the IRS to begin looking for alternatives to the
SAAS.

Procedures for Reviewing Audit Trails on the Security Audit and Analysis System Have Not Been Developed

To date, procedures for audit trail reviews using the SAAS
have not been finalized beyond the general security policies,
roles, and responsibilities. In addition, specific roles and
responsibilities (i.e., who will use the application, for what
information, and for what purpose) have not yet been
established.

At the time the SAAS was deployed, the PRIME contractor
advised the IRS that many of the procedures for using the
SAAS were not clear.
The transition plan provided by the
PRIME contractor identified necessary steps the IRS needed
to take.

One step called for the IRS to “review, revise/establish
security processes, policies and procedures.” The IRS
responded, “… security policies are in place” and provided
no more support for this effort. The PRIME contractor also
indicated that the IRS’ current policies and procedures did
not provide the details necessary to adequately analyze audit
trails.

The PRIME contractor also indicated that ownership
responsibilities for SAAS functions such as collecting audit
trail data, generating and reviewing security reports, and
determining who should have access to the SAAS had not
been defined.

Business unit managers of modernized applications are
primarily responsible for identifying questionable activities
on their applications.
However, to ensure consistency and
that security requirements are met, the Office of Mission
Assurance (the business leader of the SAAS) should take an
active role by facilitating requirements analysis and
definition, and defining policy, roles, and responsibilities.

As a result of the delays in defining operating procedures,
the IRS business units still will not be in a position to
effectively review audit trails, even if the SAAS
performance issues are fully resolved. During our review,
in January 2004, the Office of Mission Assurance provided
additional procedures for certain manager reports and
acknowledged that additional procedures for modernized
applications still need to be defined.

Not having operating procedures, problems with software
performance and functionality, and delays in addressing
software problems collectively indicate that the IRS has not
devoted sufficient attention to the review of audit trails.
Consequently, improper activities on IRS modernized
applications could go undetected.

Recommendations

The Chief, Mission Assurance, should ensure:

3. The SAAS operating procedures (e.g., who will review
   audit trails, what information is needed, and for what
   purpose) are fully developed and finalized so that
   business units can conduct effective and efficient audit
   trail reviews of modernized applications.

Management’s Response: IRS management agreed with
this recommendation. The Office of Mission Assurance is
implementing a two-phased plan to provide business
organizations and security personnel access to modernized
applications audit trail data through the SAAS and will
identify procedures in conjunction with business owners to
help ensure that unauthorized activities are detected. The
Office of Mission Assurance will also enhance its
certification procedures for systems and applications to
ensure that audit trail procedures are available.

4. Periodic compliance reviews are conducted once the
   SAAS is functional to ensure the CSIRC and business
   unit managers carry out their roles and responsibilities to
   review audit trails.

Management’s Response: IRS management agreed with
this recommendation.
The Office of Mission Assurance will initiate compliance reviews on modernized applications within 120 days of their initial operating capability dates. According to current schedules, these reviews are scheduled to begin in March 2005.


Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to assess the availability of audit trail data used to monitor computer activity on the Internal Revenue Service’s (IRS) modernized systems. To accomplish the objective, we:

I.  Determined whether the IRS had a system in place to monitor modernized systems and whether the system collected sufficient data.
    A. Reviewed and evaluated the IRS policies, procedures, and documentation, including documentation prepared by the PRIME contractor1 applicable to the Security Audit and Analysis System (SAAS).2
    B. Identified information that should be captured in audit trails and determined if modernized systems currently in production were collecting the appropriate audit trail data.
    C. Determined whether any mitigating controls were in place for audit trails on modernized systems.
II. Determined whether audit trails were being monitored to detect improper activities by employees, contractors, and registered/unregistered users.
    A. Interviewed the SAAS project manager and planned users of the SAAS and identified user efforts to use the SAAS for its intended purposes.
    B. Determined whether modernized audit trails were being reviewed using the SAAS and whether any improper activity was identified using the system.

1 Computer Sciences Corporation serves as the PRIME contractor to design and develop modernization programs and projects for the IRS. The Business Systems Modernization Office within the IRS coordinates and oversees the work of the PRIME contractor.
2 Conceptually, the SAAS was intended to meet the IRS’ audit trail needs for both modernized computer systems and the Integrated Data Retrieval System (the IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records).


Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen R. Mullins, Director
Theodore W. Grolimund, Audit Manager
David J. Brown, Senior Auditor
Anthony D. Knox, Senior Auditor
Louis Lee, Senior Auditor
George L. Franklin, Auditor


Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Information Officer OS:CIO
Associate Chief Information Officer, Business Systems Modernization OS:CIO:B
Associate Chief Information Officer, Information Technology Services OS:CIO:I
Director, Internal Management Systems OS:CIO:I:B:IM
Acting Director, Portfolio Management OS:CIO:R:PM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
    Chief, Mission Assurance OS:MA
    Associate Chief Information Officer, Business Systems Modernization OS:CIO:B
    Manager, Program Oversight and Coordination Office OS:CIO:R:PM


Appendix IV

Outcome Measures

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration.
These benefits will be incorporated into our Semiannual Report to the Congress.

Type and Value of Outcome Measure:
•   Funds Put to Better Use – Potential; $584,372 (see page 2).

Methodology Used to Measure the Reported Benefit:
During our review we noted that the Audit Lead Analysis System (ATLAS) was to be replaced by the Security Audit and Analysis System (SAAS). Since the SAAS is not functioning as intended, the Internal Revenue Service (IRS) has had to contract1 for hardware maintenance support covering Fiscal Years 2004 through 2006 for the ATLAS.

ATLAS Hardware Maintenance Costs:
        Fiscal Year 2004          $181,770
        Fiscal Year 2005          $194,494
        Fiscal Year 2006          $208,108
        Total                     $584,372

Once the SAAS becomes operational, the funds expended to maintain the ATLAS could be used to support other IRS initiatives.

Type and Value of Outcome Measure:
•   Inefficient Use of Resources – Potential; $400,000 (see page 2).

Methodology Used to Measure the Reported Benefit:
During our review we noted that the ATLAS was to be replaced by the SAAS. Since the SAAS is not functioning as intended, the IRS has allocated 2 full-time equivalent (FTE)2 employees ($200,000 in labor costs) in its spending plans for Fiscal Years 2004 and 2005 to continue the support of the ATLAS. This represents a total of $400,000 ($200,000 * 2) in labor costs for the 2 years. Once the SAAS becomes operational, the employee resources expended to maintain the ATLAS could potentially be used to support other IRS initiatives.

1 Source: IRS Contract Number NK20188090.
2 A measure of labor hours in which 1 FTE is equal to 8 hours multiplied by the number of compensable days in a particular fiscal year. For example, in Fiscal Year 2004, 1 FTE is equal to 2,096 staff hours.


Appendix V

Management’s Response to the Draft Report